security · jun 18, 2026 · 21:49 utc
Klue OAuth Breach Exposes Salesforce Data - June 2026
Icarus stole OAuth tokens from Klue's backend on June 11, 2026, raiding Salesforce orgs of 500+ enterprise customers. Huntress confirms it was hit.
by Emanuel De Almeida

TL;DR
- Attackers breached Klue's backend on June 11, 2026, injecting malicious code that harvested OAuth tokens customers used to link Klue to Salesforce and eight other platforms.
- An extortion group called Icarus is behind the attack; it lists two prior victims on a dark web leak site and claims to have been active since April 28, 2026.
- Salesforce cut Klue's platform connection on June 17, 2026, confirming no flaw exists in Salesforce itself.
- Klue pulled integrations across nine services - including HubSpot, Slack, Google Drive, and Zoom - while investigating.
- Huntress, a cybersecurity vendor, has publicly confirmed it was among the victims.
What happened in the Klue OAuth breach?
An OAuth token theft attack hit Klue's Battlecards app on June 11, 2026, making it the third Salesforce-connected application weaponized in an ongoing wave of OAuth-based data theft. Attackers compromised Klue's backend, pushed a malicious code update, and silently collected the OAuth tokens customers had granted to connect their Salesforce environments to Klue. According to Dark Reading's detailed breakdown, those stolen tokens gave the Icarus group direct, authenticated access to victim Salesforce orgs - no password required, no alert triggered during the initial window.
This attack follows the same third-party OAuth-abuse playbook behind the Salesloft Drift and Gainsight compromises. Google Threat Intelligence Group (GTIG) confirmed UNC6395 began targeting Salesforce instances via compromised OAuth tokens as early as August 8, 2025. The Gainsight incident followed on November 19-21, 2025, when Kudelski Security documented unauthorized OAuth token misuse forcing Salesforce to revoke all tokens and temporarily pull the app from AppExchange. Klue is now the third chapter in that same series.
How did attackers get inside Klue?
The entry point was a single forgotten credential. Icarus exploited a dormant account that Klue had created to prototype a third-party integration the company later abandoned - but never deprovisioned. That stale credential remained active and fully valid. Huntress, which investigated the incident after confirming its own data was stolen, found that attackers pivoted from that forgotten account directly into Klue's core infrastructure to extract customer OAuth tokens at scale.
One unused credential opened the door to a full infrastructure pivot. The 2025 Verizon Data Breach Investigations Report found stolen credentials were the initial access vector in 22% of all confirmed breaches - and in Basic Web Application attacks that share rises to 88%. This incident fits that pattern precisely. A broader problem underlies it: according to Material Security, 88% of organizations carry ghost users - stale but enabled accounts that still hold live access to sensitive systems.
For context on how attackers similarly abuse forgotten access controls in other SaaS platforms, see our coverage of broken Entra access controls that exposed FIFA World Cup streams - the underlying failure is the same: access granted and never revoked.
Who is affected?
Huntress is the highest-profile confirmed victim so far - notable because it is itself a cybersecurity company. According to BankInfoSecurity's June 2026 report, Klue counted 190,000 users as of September 2025 and serves roughly 500 enterprise customers, with names like Adobe, Dell, and Shopify on its roster. The exact number of organizations that lost data has not been confirmed publicly.
Salesforce stated the incident "does not arise from a vulnerability within the Salesforce platform" and is limited to Klue's app connection. The platform disabled Klue Battlecards' connection on June 17, 2026, per BleepingComputer. The six-day window between initial compromise and platform-level revocation is significant: IBM research cited by Bright Defense puts the average detection-and-containment time for credential breaches at 292 days, making a six-day response unusually fast - though still long enough for substantial data exfiltration.
The supply-chain dimension here mirrors what we covered in the DragonForce C2 abuse of Microsoft Teams infrastructure - trusted vendor relationships become attack surface when monitoring is absent.
Who is the Icarus extortion group?
Icarus is a relatively new threat actor. The group claims operations dating back to April 28, 2026, and maintains a dark web leak site listing two victims prior to Klue, as first reported by Dark Reading. Beyond those self-reported dates and victim listings, little is independently confirmed about the group's composition or geographic origin.
What is clear from the operational pattern is target selection logic. NHIMG research found that 72% of organizations have experienced breaches of non-human identities - service accounts, API tokens, OAuth credentials - and when cloud credentials are exposed, attackers attempt access within an average of 17 minutes. Whether Icarus targets SaaS OAuth integrations systematically or found this vector through opportunistic reconnaissance remains unconfirmed.
What platforms were disabled during the response?
Klue took broad action to contain the incident. The company disabled integrations across nine platforms while its investigation was active:
- Salesforce
- HubSpot
- SharePoint
- Zoom
- Gong
- Chorus
- Clari
- Google Drive
- Slack
That list shows the wide surface area a competitive intelligence tool like Klue needs to function. Compromising one vendor's backend exposed nine downstream systems simultaneously. According to NordLayer's analysis of the 2025 Verizon DBIR, the share of breaches involving a third-party component roughly doubled to 30% in 2025, with multi-tenant SaaS campaigns harvesting OAuth tokens and CRM data across many organizations.
This SaaS sprawl problem is not unique to Klue. We have tracked similar third-party access risks in malicious JetBrains plugins that stole AI API keys from 70,000 installs - the attack surface grows wherever credentials and tokens are issued and forgotten.
What should you do now?
If your organization connected Salesforce or any other listed platform to Klue Battlecards, take these steps immediately.
When we reviewed the Huntress incident report and cross-checked it against standard Salesforce OAuth revocation procedures, we confirmed the steps below reflect the fastest path to cutting off any active token-based access.
- Revoke the Klue OAuth connection in Salesforce by navigating to Setup > Connected Apps OAuth Usage and revoking all tokens associated with the Klue Battlecards app.
- Audit OAuth grants across all nine affected platforms and revoke any active Klue tokens.
- Review Salesforce login history and API usage logs under Setup > Login History for unusual access between June 11 and June 17, 2026 - look for API calls outside normal business hours or from unfamiliar IP ranges.
- Search your Salesforce event log files for EventType = 'API' entries tied to the Klue Connected App during the breach window.
- Audit all third-party OAuth applications in your environment for dormant or abandoned integrations that were never deprovisioned - exactly the type Icarus exploited inside Klue.
- Contact Klue directly to confirm whether your organization's tokens were collected, and request written notification under applicable breach disclosure requirements.
- Brief your security team on the Huntress incident report for full technical indicators and timeline detail.
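The event-log triage in the steps above, as an added example that is not code from Klue, Huntress or Salesforce: it filters exported Salesforce event-log rows to the Klue Connected App inside the June 11-17 window and flags off-hours calls and unfamiliar source IPs. The column names, the business-hours range, the allow-listed IP range and the sample rows are all assumptions or constructed values; adjust them to your org's export and network.

```python
"""Triage Salesforce API event-log rows for the Klue breach window (added example)."""
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Breach window from the article: initial compromise (June 11) to Salesforce
# revoking the Klue connection (June 17, 2026). End bound is exclusive.
WINDOW_START = datetime(2026, 6, 11, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 18, tzinfo=timezone.utc)
BUSINESS_HOURS = range(8, 19)                               # 08:00-18:59 UTC, assumed
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]     # placeholder: your own egress ranges
CLIENT_MATCH = "klue"                                       # substring of the connected app's client name

# Constructed sample rows, not real log data. Column names are assumed to
# match the org's EventLogFile CSV export for the API event type.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_IP,CLIENT_NAME
API,2026-06-10T14:02:11Z,ci@example.com,203.0.113.8,Klue Battlecards
API,2026-06-12T03:17:45Z,ci@example.com,198.51.100.77,Klue Battlecards
API,2026-06-13T10:30:02Z,ci@example.com,203.0.113.8,Klue Battlecards
API,2026-06-14T22:05:09Z,ci@example.com,203.0.113.8,Klue Battlecards
Login,2026-06-15T09:00:00Z,ci@example.com,198.51.100.77,Klue Battlecards
API,2026-06-16T11:45:33Z,ops@example.com,203.0.113.9,Other Tool
"""


def triage(csv_text: str) -> list:
    """Return Klue API rows inside the window that are off-hours or from an unknown IP."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only API events from the Klue connected app are in scope.
        if row["EVENT_TYPE"] != "API" or CLIENT_MATCH not in row["CLIENT_NAME"].lower():
            continue
        ts = datetime.fromisoformat(row["TIMESTAMP_DERIVED"].replace("Z", "+00:00"))
        if not (WINDOW_START <= ts < WINDOW_END):
            continue
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        if not any(ip in net for net in KNOWN_RANGES):
            reasons.append("unfamiliar-ip")
        if reasons:
            flagged.append({"timestamp": row["TIMESTAMP_DERIVED"],
                            "user": row["USER_NAME"], "ip": row["CLIENT_IP"],
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Rows outside the window, non-API event types and other connected apps are dropped before any scoring, so only the two suspicious Klue calls in the sample remain.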
For a structured approach to locking down Microsoft 365 OAuth and app access, our guide on blocking Microsoft 365 apps with Conditional Access policies applies the same revoke-and-gate logic to the Entra/Azure surface. Separately, if you run Attack Surface Reduction rules, verify your posture with our ASR rules deployment guide for sysadmins.
Frequently asked questions
Is Salesforce itself vulnerable?
No. Salesforce confirmed the breach does not stem from any flaw in the Salesforce platform. The problem lived entirely in Klue's backend, where attackers injected code to capture OAuth tokens before normal authentication. Salesforce proactively disabled the Klue connection on June 17, 2026, and has not identified any platform-level exposure.
Does revoking OAuth tokens stop ongoing access?
Yes - revocation is immediate. Once an OAuth token is revoked, any session using it becomes invalid instantly. Attackers who copied and used tokens during the June 11-17 window may have already exfiltrated data, so revocation stops future access but does not undo past exposure. Treat the revocation as a starting point, not an endpoint.
Why did Klue disable nine platforms if the breach targeted Salesforce?
The malicious code collected OAuth tokens broadly, not only Salesforce ones. Klue disabled all integrations as a precaution because tokens for HubSpot, Slack, Google Drive, and the other six platforms were also potentially harvested. The Salesforce connection received the most attention because it is the third in an ongoing series of attacks targeting that ecosystem specifically.
What is a Battlecard, and why does it need so much data access?
A Battlecard is a competitive intelligence document that Klue compiles automatically by pulling product, pricing, and customer data from multiple business tools. That function requires read access to CRM records, call recordings, deal data, and documents - which is why Klue held active OAuth connections to nine separate platforms simultaneously.
source: www.darkreading.com
